Method and arrangement for the comparison of technical systems by means of system replacements

ABSTRACT

The invention permits a comparison of two technical systems, which according to conventional opinion is not possible to carry out, based on a substantially simpler, technically achievable comparison, in which part systems of one or both systems are specifically replaced. The replacements are performed in a controlled manner by monitoring a replacement condition with constraints. The monitoring of the replacement condition and the generation and monitoring of the necessary constraints occur automatically. A comparison of both systems can thus be carried out based on the replacement of the part systems without introducing a loss of precision in the comparison.

[0001] The invention relates to a method for the comparison of technical systems to check functional equivalence by means of system replacements.

[0002] As is known, even minor internal behaviour differences can easily lead to failure in the comparison of technical systems, in particular if large and complex systems are concerned.

[0003] In the case of such larger technical systems as, for instance, Application Specific Integrated Circuits (ASICs), at present there is no durable and satisfactory method of solving this problem.

[0004] Depending on the particular scope of application, there are a few known ideas to solve this problem.

[0005] A possible scenario, in which the above problem can occur, is implementation verification, when the synthesis results are to be compared to the synthesis inputs, in order to ensure that the synthesis process has not introduced any modifications into the functionality of the synthesis inputs.

[0006] Here especially the handling of so-called “library cells”, which serve as a simple way to illustrate the synthesis result, has proven to be problematic. Here, a large degree of freedom exists for modelling the internal behaviour of the library cells.

[0007] A popular method now consists of modifying the internal logic based on heuristics and in particular encoding of the internal states of the library cells so that the internal behaviour of the parts representing the library cell is exactly evident from the synthesis inputs.

[0008] Since these techniques work exclusively on the library cells, without knowledge of the synthesis inputs, and because of the extraordinarily large number of possible uses of library cells, it can hardly be avoided that this procedure is incomplete and error-prone.

[0009] Suitable modelling of library cells, however, is the basic pre-requisite for successful implementation verification.

[0010] An example of a known solution is FormalPro (TM) software, an implementation verification tool developed by the firm Mentor Graphics. This uses heuristics, in order to deal with various problem scenarios in regard to library cells (see in this connection Hughes, Roger B.: Whole design formal verification of a 5-million gate design by equivalence checking is possible with a small memory footprint, DesignCon2000, February 2000).

[0011] Essentially, as a result of this idea, an attempt is made to find a standard format to illustrate the library cells. This solution moreover supports the aforementioned statement, according to which library cells represent a special problem.

[0012] The solution proposed by the invention overcomes these fundamental problems and can be used in numerous application scenarios.

[0013] It is, therefore, a primary object of the present invention to find an idea to support the comparison of technical systems, which is also feasible if the systems being compared deviate from one another in regard to their internal behaviour. This should also apply in particular to the aforementioned, problematic library cells.

[0014] In accordance with the present invention, this object is achieved by a method for the comparison of technical systems to check equal functionality by means of system replacements with a first technical system and a replacement system, whereby the following process steps are carried out to establish agreement between both systems:

[0015] a) automatic monitoring as to whether the first technical system can be replaced by the replacement system with a replacement condition, according to which it is not possible for any environment of the technical systems to find a functional difference between the first technical system and the replacement system when the respective interfaces are accessed.

[0016] b) otherwise automatic constraint of the behaviour of the environment of both systems and renewed monitoring of the replacement condition with the restricted environment,

[0017] c) repetition of process step b) until the replacement condition can be demonstrated or no further constraint of the environment is possible.

[0018] The basic idea of this invention is, therefore, essentially that modifications to technical systems are frequently of a very local nature and can be limited to certain areas of the systems. In many application scenarios, the modified areas are known and can be placed in relation to their original form. Therefore, modified critical parts of an entire system can then be identified and replaced by a non-critical replacement system.

[0019] For this purpose, a check is made for a given technical system and a given replacement system as to whether the technical system can be replaced by the replacement system. The replacement condition is selected so that it is not possible for any environment of the technical system to find a difference between the technical system and the replacement system, if for said monitoring only the interfaces of the technical system or its replacement system may be accessed.

[0020] Therefore, it is ensured that the technical system and its replacement system behave identically at their interfaces under all operating conditions.

[0021] If the replacement condition is not fulfilled, then constraints are generated automatically in the behaviour of the environment, so that the replaceability of the two systems can nevertheless be ensured with these constraints.

[0022] A first advantageous configuration of the method in accordance with the present invention is characterized in that the environment of the two technical systems being compared is restricted, by monitoring these for values potentially appearing at their outputs and by reducing the environment by such input values, which entail an output value, which cannot be generated by the other system under any circumstances.

[0023] A further or alternative embodiment of the invention constrains the environment of the two technical systems being compared by forming classes of inputs and by restricting the environment in such a way that inputs of different classes do not change at the same time. This can occur both as an alternative to the aforementioned possibility of constraint, and as a supplementary measure, if the first mentioned constraint does not lead to success, that is to say the replacement condition cannot be demonstrated.

[0024] In this case, it has been shown as advantageous if classes of inputs are progressively partitioned until the replacement condition can be demonstrated or no further partitioning is possible.

[0025] Formally, replaceability can also be understood as a special case of replaceability with constraints, if the constraints are logically always true, that is to say fulfilled by any environment.

[0026] Therefore, advantageously such constraints are always automatically monitored as to whether they are logically always true for any environment. Constraints in the environment are best monitored automatically using an existing tool. If the constraints are fulfilled in the environment being monitored, then the replacement system is substituted wherever the technical system appears.

[0027] As a result, the comparison of two entire systems is reduced to the comparison of two systems, in regard to which one or more part systems have been replaced in relation to the original entire systems.

[0028] It is important and advantageous in this case that, despite said replacements, no loss of precision is introduced in the comparison.

[0029] The basic idea of the invention, therefore, is to reduce a comparison of two technical systems which according to conventional opinion is not possible to a substantially simpler, technically achievable comparison in which part systems of one or both systems are specifically replaced. The replacements are performed in a controlled manner by monitoring a replacement condition with constraints. The monitoring of the replacement condition, as well as the generation and monitoring of the necessary constraints, occurs automatically. A comparison of both systems can thus be carried out based on the replacements of the part systems, without introducing a loss of precision in the comparison.

[0030] The choice of the replacement system essentially depends on the application scenario. To assist understanding, an embodiment for implementation verification of a digital technical system is described below based on the library cells already identified as being problematic. Alongside this and in association with the figure, further advantages and details of the invention are clarified, where:

[0031] FIG. 1 shows a diagrammatic representation of implementation verification based on replacements of library cells in accordance with the invention.

[0032] Firstly, for this purpose, the replacement condition E (safe replaceability) of technical systems is dealt with in greater detail. Such a replacement condition E for a technical system, which is represented by finite state machines (FSMs), has already been defined in “Pixley, Carl; Singhal, Vigyan; Aziz, Adnan; Brayton, Robert K.: multi-level synthesis for safe replaceability; ICCAD94, pages 442-449, 1994”.

[0033] Further basic principles are evident from:

[0034] Hasteer, Gagan; Mathur, Anmol; Banerjee, Prithviraj: an implicit algorithm for finding steady states and its application to FSM verification; DAC98, pages 611-614, 1998.

[0035] Singhal, Vigyan; Pixley, Carl: the verification problem for safe replaceability, CAV94, pages 311-323, 1994.

[0036] Singhal, Vigyan; Pixley, Carl; Rudell, Richard L; Brayton, Robert K.: the validity of retiming sequential circuits. DAC95, pages 316-321, 1995.

[0037] The definition presented below extends the term of replaceability to replaceability with constraints.

[0038] Definition:

[0039] A technical system FSM1 is called replaceable by a technical system FSM0 with the constraint C (FSM1 ⊂_C FSM0), if for each state S1 of the system FSM1 and for each sequence of input values that observes the constraint C there exists a state S0 of the system FSM0 such that the sequence of output values produced from S0 agrees with the sequence of output values produced from S1 for the input sequence observed.

[0040] It can be shown that this definition is a necessary and sufficient condition for the replaceability of technical systems, so that the replacement cannot be detected by any environment in which the constraint C applies and which is only able to analyze the input or output values of FSM1 or FSM0.

[0041] The replacement condition according to the above definition can be demonstrated mathematically in numerous ways. Known automated methods include, for example, BDD, ROBDD, ATPG, SAT or also simulation-based methods.

[0042] In accordance with the invention, the constraint C is determined from the aforementioned definition by monitoring the systems for values potentially appearing at their outputs. Those input values, which—irrespective of internal states—(can) entail an output value, that cannot be generated under any circumstances by the other system, are then added to the constraint C.

[0043] If the replacement condition cannot be demonstrated by means of the constraints described above via the permitted input values, then classes K of inputs are formed and the constraint C is included, so that inputs from different classes K will not change at the same time. The partitioning process into classes K continues, until the replacement condition is finally demonstrated or no further partitioning is possible. In the latter case, the systems cannot be replaced.
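As an added illustration (not part of the patent or of any CRC tool), the following Python models the replacement condition of [0039] and the output-value constraint of [0042] on a constructed pair of library-cell models. The cell (a D flip-flop whose simulation model drives the undefined value ‘X’ while a scan-test pin t is asserted), its inputs and all function names are assumptions; the check uses the safe-replaceability reading cited in [0032] (one state S0 per state S1 for all admitted input sequences), and the class partitioning of [0043] is not modelled.

```python
from collections import deque

class FSM:
    """Mealy machine: step(state, inp) -> (next_state, output)."""
    def __init__(self, states, step):
        self.states, self.step = states, step

def equivalent(fsm0, s0, fsm1, s1, inputs, allowed):
    """True if no input sequence admitted by the constraint `allowed`
    (a predicate on (previous input, current input)) separates s0 from s1.
    Explores the product of both machines breadth-first."""
    seen, todo = set(), deque([(s0, s1, None)])
    while todo:
        a, b, prev = todo.popleft()
        if (a, b, prev) in seen:
            continue
        seen.add((a, b, prev))
        for x in inputs:
            if not allowed(prev, x):
                continue
            na, oa = fsm0.step(a, x)
            nb, ob = fsm1.step(b, x)
            if oa != ob:          # an environment could observe this difference
                return False
            todo.append((na, nb, x))
    return True

def replaceable(fsm1, fsm0, inputs, allowed=lambda prev, x: True):
    """Replacement condition [0039]: every state of FSM1 has a state of FSM0
    that no environment respecting the constraint can tell apart from it."""
    return all(any(equivalent(fsm0, s0, fsm1, s1, inputs, allowed)
                   for s0 in fsm0.states)
               for s1 in fsm1.states)

def output_constraint(fsm1, fsm0, inputs):
    """Constraint generation [0042]: forbid every input value under which one
    system can emit an output the other can never produce, whatever its state."""
    forbidden = set()
    for x in inputs:
        outs0 = {fsm0.step(s, x)[1] for s in fsm0.states}
        outs1 = {fsm1.step(s, x)[1] for s in fsm1.states}
        if outs0 != outs1:
            forbidden.add(x)
    return forbidden

# Constructed example: inputs are (t, d); the output is the stored bit q.
INPUTS = [(t, d) for t in (0, 1) for d in (0, 1)]
# Synthesis model (FSM0): t is a don't-care, q simply follows d.
SYN = FSM({0, 1}, lambda q, x: (x[1], q))
# Simulation model (FSM1): with t=1 the output is the undefined value 'X'.
SIM = FSM({0, 1}, lambda q, x: (x[1], 'X' if x[0] else q))

def check():
    """Returns (generated constraint, result without it, result with it)."""
    c = output_constraint(SIM, SYN, INPUTS)
    without = replaceable(SIM, SYN, INPUTS)
    with_c = replaceable(SIM, SYN, INPUTS, lambda prev, x: x not in c)
    return c, without, with_c
```

Without a constraint the ‘X’ output is observable and the simulation model is not replaceable; once the generated constraint excludes the input values with t=1, the two models are indistinguishable at their interfaces.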

[0044] The aforementioned embodiment will now be explained in more detail below.

[0045] As previously mentioned, library cells are an ideal application scenario for the invention presented here.

[0046] For this purpose, FIG. 1 shows the interaction of the various tools in the example of implementation verification of a digital technical system, e.g. for producing an ASIC.

[0047] In the case of the implementation verification of a digital system, the object of comparison consists in checking functional equivalence between the synthesis input RTL (here as FSM0) and the synthesis result ‘netlist’ (here as FSM1). ‘Netlist’ and ‘RTL’ thereby represent the user files UF (user files), where ‘netlist’ is synthesized ‘syn’ from ‘RTL’ by means of the synthesis library ‘db’. The library ‘db’ contains the synthesis models of the library cells and is a component part of the library data files supplied by the LVF (library vendor files) tool developer, which also includes the input formats VHDL ‘.vhd’ and Verilog ‘.v’.

[0048] The implementation verification will now demonstrate that the netlist ‘netlist’ is functionally identical to the synthesis input ‘RTL’ by means of the simulation models ‘sim’ of the library cells. Under this assumption, time-consuming functional simulation of the netlist ‘netlist’ can be avoided and characteristics of the circuit can be checked for ‘RTL’. The simulation models in ‘sim’ can have various input formats, such as for instance the VHDL ‘.vhd’ or Verilog ‘.v’ already mentioned.

[0049] It is now problematic that the simulation models ‘sim’ are aligned only with the efficiency of a simulator, and their internal realization has no predictable relationship to the internal realization of the synthesis models of the library ‘.db’.

[0050] A synthesis input ‘RTL’, however, has a direct structural relationship to the netlist ‘netlist’ via the synthesis library ‘.db’, since the synthesis process performs so-called mapping of the synthesis cells, in which the internal architecture of the library cells is taken into consideration. Expressed in other words, the internal behaviour of the netlist ‘netlist’ has a direct structural relationship to the synthesis input ‘RTL’ via the synthesis models ‘syn’ of the library ‘db’. This structural relationship is a crucial factor in the technical feasibility of formal verification.

[0051] At the same time, there is frequently no structural relationship between ‘RTL’ and ‘netlist’ using the simulation models in ‘sim’. The internal realization of the simulation models can differ within a wide range from the synthesis models in ‘.db’; synthesis models and simulation models only have an equivalent relationship via their input/output behaviour. The CRC tool, which is associated with the invention described here and works accordingly, monitors the replaceability of the synthesis models in ‘syn’ and of the simulation models in ‘sim’ and, if necessary, generates the constraints C required for replaceability or replacement constraints ‘.cns’. In the illustration, ‘syn’ is demonstrative of various representational formats of the synthesis library ‘.db’, thus for example also in regard to the format ‘lib’, which serves as a source for the generation of ‘.db’.

[0052] The constraints generated by CRC are validated from the netlist ‘netlist’ by means of the simulation models in ‘sim’ via an intermediate representation ‘.gat3’ using a tool GP. If the comparison turns out to be positive, then replaceability is ensured and the synthesis models from ‘syn’ are consulted during implementation verification. The further method of implementation verification does not differ from the basic procedure by means of the simulation models from ‘sim’ (in FIG. 1 indicated by intermediate representations ‘.gat1’, ‘.gat2’ as well as the tool GC).

[0053] In first experiments with the method carried out in this way using the CRC tool (CVE replacement checkers), the verification of an ASIC was possible for the first time, which previously could not be checked automatically.

[0054] In other cases, the time required for implementation verification was reduced from a few hours to a few minutes.

[0055] Also, the outputs of synthesis tools in the case of FSM recoding and optimization, as for example used in the design of field programmable gate arrays (FPGAs), are a further promising field of application for the invention presented.

[0056] These synthesis tools are able to generate recoding of the internal states of part systems of the FPGA. To carry out implementation verification of FPGAs—similar to the procedure in the preceding embodiment—the recoded part systems can be replaced by means of the present invention with their originals, in order then to carry out implementation verification. Replaceability of original system and recoded system can again be monitored with the CRC tool, which at the same time also generates the constraints demanded by the environment.

[0057] In principle, therefore, the procedure is the same as that shown in connection with FIG. 1. Only the origin of the replacement system is different. 

1. Method for the comparison of technical systems to check equal functionality, whereby a first technical system (FSM0) is compared with a second technical system by means of system replacements and whereby the following process steps are carried out to establish an equivalent technical functionality of the first technical system (FSM0) and the second technical system: a) automatic monitoring (CRC) as to whether the first technical system can be replaced by the replacement system (FSM1) under a replacement condition (E), according to which it is not possible for any environment of the first technical system (FSM0) and the replacement system (FSM1) to find a functional difference between the first technical system (FSM0) and the replacement system (FSM1) when the respective interfaces are accessed, b) otherwise automatic constraint (C) of the behaviour of the environment of the first technical system (FSM0) and the replacement system (FSM1) and renewed monitoring (CRC) of the replacement condition (E) with the restricted environment, c) repetition of process step b) until the replacement condition (E) can be demonstrated or no further constraint (C) of the environment is possible and d) if the replacement condition (E) could be demonstrated, automatic replacement of the first technical system (FSM0) by the replacement system (FSM1) and comparison of the replacement system (FSM1) with the second technical system to check functional equivalence.
 2. Method for the comparison of technical systems according to claim 1, whereby a constraint (C) of the environment of the two technical systems being compared (FSM0, FSM1) takes place by monitoring these (FSM0, FSM1) for values potentially appearing at their outputs and by decreasing the environment by such input values, which entail an output value, which cannot be generated by the other system under any circumstances.
 3. Method for the comparison of technical systems according to claim 1 or 2, whereby a constraint (C) of the environment of the two technical systems being compared (FSM0, FSM1) takes place by forming classes (K) of inputs and by restricting the environment so that inputs of different classes will not change at the same time.
 4. Method for the comparison of technical systems according to claim 3, whereby progressive partitioning into classes of inputs continues until the replacement condition (E) can be demonstrated or no further partitioning is possible.
 5. Method for the comparison of technical systems according to one of the preceding claims, whereby constraints (C) are always automatically monitored as to whether these (C) are always logically true for any environment. 